[sudo-users] sudo driven by LDAP accepting any passwd

Wes Rogers wrogers at gmail.com
Sat Oct 21 10:51:38 EDT 2006


I feel dumb.  As soon as I fired off this email to the list, I
realized that it was a PAM configuration error.  On my FC3 x86_64
systems, /etc/pam.d/sudo was configured incorrectly.

At least it was that simple.

Wes

On 10/20/06, Michael Potter <pottmi at gmail.com> wrote:
> Wes,
>
> A very nasty problem indeed.  I don't know much about ldap itself, but I had
> success looking at the sudo log and the syslog to track down authentication
> problems in the past.  On my mac the authentication subsystem has its own
> logs that intermix with the sudo entries in syslog.  That made it easy to
> see what was wrong.
>
> Good luck,  please report back what you find to be the solution.
>
> --
> Michael Potter
>
>
> On 10/20/06, Wes Rogers < wrogers at gmail.com> wrote:
> >
> > I've got a large setup of centralized sudo in LDAP.
> >
> > Everything works fine, except I noticed today one very nasty problem.
> >
> > If you are a user that is allowed sudoers access, you can type a
> > command that is permitted to you and if you type an incorrect passwd,
> > it proceeds anyway.
> >
> > Has anyone come across this, and if so, what did I miss?  Here are some
> > examples of the setup:
> >
> > dn: cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> > objectClass: top
> > objectClass: sudoRole
> > cn: defaults
> > description: Default sudoOption's go here
> > sudoOption: ignore_local_sudoers
> > sudoOption: logfile=/var/log/sudolog
> > sudoOption: insults
> >
> > dn: cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> > cn: testrole
> > description: Testing
> > objectClass: top
> > objectClass: sudoRole
> > sudoCommand: ALL
> > sudoUser: +testusers
> > sudoHost: +testhosts
> >
> > dn: cn=testusers,ou=Users,ou=Netgroups,ou=blah,dc=blah,dc=com
> > cn: testusers
> > objectClass: nisNetgroup
> > objectClass: top
> > nisNetgroupTriple: (,testuser,)
> > description: Testing Users
> >
> > dn: cn=testhosts,ou=Hosts,ou=Netgroups,ou=blah,dc=blah,dc=com
> > cn: testhosts
> > description: Test Servers
> > objectClass: nisNetgroup
> > objectClass: top
> > nisNetgroupTriple: (testhost1,,,)
> >
> > testhost1$ sudo su -
> > LDAP Config Summary
> > ===================
> > host         10.0.0.1 10.0.0.2
> > port         389
> > ldap_version 3
> > sudoers_base ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> > binddn       cn=Auth,ou=Applications,ou=blah,dc=blah,dc=com
> > bindpw       blah
> > ssl          (no)
> > ===================
> > ldap_init(10.0.0.1 10.0.0.2,389)
> > ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> > ldap_bind() ok
> >
> > found:cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> > ldap sudoOption: 'ignore_local_sudoers'
> > ldap sudoOption: 'logfile=/var/log/sudolog'
> > ldap sudoOption: 'insults'
> > ldap search '(|(sudoUser=testuser)(sudoUser=%testgroup)(sudoUser=%testgroup)(sudoUser=ALL))'
> > ldap search 'sudoUser=+*'
> >
> > found:cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
> > ldap sudoUser netgroup '+testusers' ... MATCH!
> > ldap sudoHost netgroup '+testhosts' ... MATCH!
> > ldap sudoCommand 'ALL' ... MATCH!
> > Perfect Matched!
> > user_matches=-1
> > host_matches=-1
> > sudo_ldap_check(0)=0x02
> > Password: <enter anything with keyboard>
> > [root at testhost ~]#
> >
> > If I do NOT enter a passwd and just hit enter, it won't let me sudo.
> > But if I type correct/incorrect passwd, it lets me.
> >
> > I'm also using the sudo.schema from
> > http://www.courtesan.com/sudo/readme_ldap.html
> >
> > Thanks,
> > Wes
> >
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
>
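The sudo debug output above only shows the LDAP half of the decision (role lookup, netgroup and command matching); the password check that actually failed here happens inside PAM, where sudo prints nothing. The following is an added example, not code from the thread or from the sudo project: it reads pam.d-style files and walks the `auth` stack with Linux-PAM control-flag semantics (required, requisite, sufficient, optional, include, and the FC3-era pam_stack.so service=...) for the case where the caller typed a wrong, non-empty password, reporting whether the stack would still end in success. The sample files, the module classification tables and the function names are assumptions made for this example; the exact mistake on the FC3 hosts is not on the page, and a `sufficient pam_permit.so` line in front of the real verifier is only one configuration that produces the symptom reported (anything typed at the prompt accepted).

```python
"""Added example: simulate a Linux-PAM 'auth' stack for a WRONG password so a
misconfigured /etc/pam.d/sudo can be spotted by reading the files rather than by
guessing at a prompt. Sample files below are constructed for this example."""

# Modules that verify the supplied credential: they FAIL on a wrong password.
VERIFIERS = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so", "pam_sss.so", "pam_winbind.so"}
# Auth-phase modules that succeed regardless of what was typed.
ALWAYS_PASS = {"pam_permit.so", "pam_env.so", "pam_faildelay.so"}
# Modules that fail for an ordinary, non-root caller.
ALWAYS_FAIL = {"pam_deny.so", "pam_rootok.so"}


def parse_auth_lines(text):
    """Return [(control, module, args)] for the 'auth' lines of one pam.d file."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            out.append((parts[1], parts[2], parts[3:]))
    return out


def stack_lines(service, files, depth=0):
    """auth lines of `service` with 'include'd files spliced in place."""
    if depth > 5:
        raise ValueError(f"include loop at {service}")
    out = []
    for control, module, args in parse_auth_lines(files[service]):
        if control == "include":
            out.extend(stack_lines(module, files, depth + 1))
        else:
            out.append((control, module, args))
    return out


def evaluate(service, files, depth=0):
    """Walk the auth stack of `service` assuming a wrong, non-empty password.
    Returns ('pass' | 'fail', trace); trace says what each line did."""
    if depth > 5:
        raise ValueError(f"include loop at {service}")
    trace, required_failed = [], False
    entries = stack_lines(service, files, depth)
    for control, module, args in entries:
        if control.startswith("["):
            raise ValueError(f"{service}: bracketed control {control} not modeled, review by hand")
        if module == "pam_stack.so":  # old Red Hat style: nested stack, its result is this line's result
            sub = next((a.split("=", 1)[1] for a in args if a.startswith("service=")), None)
            if sub is None:
                raise ValueError(f"{service}: pam_stack.so without service=")
            result, sub_trace = evaluate(sub, files, depth + 1)
            trace.extend(sub_trace)
        elif module in VERIFIERS or module in ALWAYS_FAIL:
            result = "fail"
        elif module in ALWAYS_PASS:
            result = "pass"
        else:  # unmodeled module: assume it lets the user through, and say so
            trace.append(f"{service}: {module} not modeled, assumed to succeed (check it)")
            result = "pass"
        trace.append(f"{service}: auth {control} {module} -> {result}")
        if control == "required":
            required_failed = required_failed or result == "fail"
        elif control == "requisite":
            if result == "fail":
                return "fail", trace
        elif control == "sufficient":
            if result == "pass" and not required_failed:
                trace.append(f"{service}: 'sufficient {module}' ends the stack with SUCCESS")
                return "pass", trace
        elif control != "optional":
            raise ValueError(f"{service}: control '{control}' not modeled")
    if not entries:
        trace.append(f"{service}: no auth lines, PAM denies by default")
    return ("fail" if required_failed or not entries else "pass"), trace


def wrong_password_accepted(files, service="sudo"):
    """True if `service` would grant access on a wrong password. On a real host,
    build `files` by reading /etc/pam.d/<name> instead of the samples below."""
    result, trace = evaluate(service, files)
    return result == "pass", trace


# Constructed sample files (not taken from the hosts in the thread).
SYSTEM_AUTH = """#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
"""
PAM_GOOD = {
    "sudo": "#%PAM-1.0\nauth  required  pam_stack.so service=system-auth\n"
            "account  required  pam_stack.so service=system-auth\n",
    "system-auth": SYSTEM_AUTH,
}
# One way to get the symptom in the thread: an always-succeeding 'sufficient'
# line sits in front of the lines that actually check the password.
PAM_BROKEN = {
    "sudo": "#%PAM-1.0\nauth  sufficient  pam_permit.so\nauth  include  system-auth\n",
    "system-auth": SYSTEM_AUTH,
}

if __name__ == "__main__":
    for name, files in (("good", PAM_GOOD), ("broken", PAM_BROKEN)):
        accepted, trace = wrong_password_accepted(files)
        print(f"{name}: wrong password accepted = {accepted}")
        for line in trace:
            print("   ", line)
```

Pair the static read with an empirical check on the host once /etc/pam.d/sudo has been corrected: `sudo -k; printf 'notmypassword\n' | sudo -S -p '' true; echo $?` must print a non-zero status, and the sudo log named by the `logfile=` sudoOption should record the failed attempt. The simulator treats any module it does not know as succeeding and says so in the trace, so a clean "not accepted" verdict only holds once every listed module is one you recognise.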


